These two patches fix defects found by coverity scan.

Main changes from v3:
- Add coverity issue number

Main changes from v2:
- Fix coding style issue

Wei Huang (2):
  raw/ifpga: terminate string filled by readlink with null
  raw/ifpga: use trusted buffer to free

 drivers/raw/ifpga/ifpga_rawdev.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--
2.7.3
readlink() does not terminate string, add a null character at the end of the string if readlink() succeeds. Coverity issue: 362820 Fixes: 9c006c45d0c5 ("raw/ifpga: scan PCIe BDF device tree") Signed-off-by: Wei Huang <wei.huang@intel.com> --- v2: fix coding style issue v3: add coverity issue number --- drivers/raw/ifpga/ifpga_rawdev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index 0385514..f9de167 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -230,8 +230,9 @@ static int ifpga_rawdev_fill_info(struct ifpga_rawdev *ifpga_dev, memset(link, 0, sizeof(link)); memset(link1, 0, sizeof(link1)); ret = readlink(path, link, (sizeof(link)-1)); - if (ret == -1) + if ((ret < 0) || ((unsigned int)ret > (sizeof(link)-1))) return -1; + link[ret] = 0; /* terminate string with null character */ strlcpy(link1, link, sizeof(link1)); memset(ifpga_dev->parent_bdf, 0, 16); point = strlen(link); -- 2.7.3
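Review bot: In the @@ -230,8 hunk, the new upper-bound test (unsigned int)ret > (sizeof(link)-1) can never be true, because readlink() is called with sizeof(link)-1 as its size and returns at most that many bytes. The case the condition leaves uncovered is truncation: a return value equal to sizeof(link)-1 can mean the link target was cut off, and the following strlen(link) parsing then works on a partial path. Consider treating ret equal to sizeof(link)-1 as an error as well. Since memset(link, 0, sizeof(link)) runs just before the call, the last byte was already zero, so link[ret] = 0 is defensive; the comment could say it is there to make the termination explicit.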
In rte_fpga_do_pr, calling function read() may taint the argument buffer, which turns into an untrusted value as the argument of rte_free(). Coverity issue: 279449 Fixes: ef1e8ede3da5 ("raw/ifpga: add Intel FPGA bus rawdev driver") Signed-off-by: Wei Huang <wei.huang@intel.com> --- v2: add fixes information to log v3: add coverity issue number --- drivers/raw/ifpga/ifpga_rawdev.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c index f9de167..27129b1 100644 --- a/drivers/raw/ifpga/ifpga_rawdev.c +++ b/drivers/raw/ifpga/ifpga_rawdev.c @@ -786,7 +786,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, int file_fd; int ret = 0; ssize_t buffer_size; - void *buffer; + void *buffer, *buf_to_free; u64 pr_error; if (!file_name) @@ -818,6 +818,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, ret = -ENOMEM; goto close_fd; } + buf_to_free = buffer; /*read the raw data*/ if (buffer_size != read(file_fd, (void *)buffer, buffer_size)) { @@ -835,8 +836,8 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id, } free_buffer: - if (buffer) - rte_free(buffer); + if (buf_to_free) + rte_free(buf_to_free); close_fd: close(file_fd); file_fd = 0; -- 2.7.3
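Review bot: In the @@ -786,7 hunk, buf_to_free is declared without an initializer and only receives a value in the @@ -818,6 hunk, after the allocation check. If any path reaches the free_buffer label before that assignment, rte_free() is handed an indeterminate pointer. Initializing it at the declaration (void *buffer, *buf_to_free = NULL;) makes the label safe from every entry point.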
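Review bot: In the @@ -818,6 hunk, the added buf_to_free = buffer; line has no comment, and without one the alias reads as dead code: read() writes through buffer but does not change the pointer value, so both variables hold the same address at free_buffer. A one-line comment stating that the copy exists so the pointer passed to rte_free() is not the one the scanner marks as tainted by read() would keep a later cleanup from removing it.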
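Review bot: In the @@ -835,8 hunk, the if (buf_to_free) guard in front of rte_free(buf_to_free) is not needed, because rte_free() does nothing when given NULL. Dropping the guard and calling rte_free(buf_to_free) directly shortens the cleanup path without changing behaviour.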